Bitcoin Forum

I am really horrified now!

when I withdrew money from somewhere i see i copied and pasted addy ,but when i not got for a long time i searched whats the issue and i see funds sent to : 19ZM2pjq6U4jVb283GZkCPNukjeyb2YZ2u

and now I see this is a virus address , its a virus where u copy anything but this : 19ZM2pjq6U4jVb283GZkCPNukjeyb2YZ2u will be pasted, no matter , what !

I have searched internet more and saw someone else had same issue

please help me !

Backup wallet.dat and the blockchain (depending on what wallet you are using) and reinstall OS.

Run a live linux OS from a usb drive and recover your wallet.dat/ withdraw your money then reinstall your OS. (i prefer using a linux OS instead of windows)

what extensions you installed in browser? there have some nasty ones in the past that would change the btc address.  eg one originally started as an innocent price ticker, then gets updated with malicious code a few months later when adoption has increased  :(


try running a clean profile or a different browser and see if it happens again to isolate the cause

Disconnect from the internet and run an antivirus off a linux live os. That's the first time I heard of such a virus. Do be careful.

everything you need is sent ALL OF YOUR COIN TO ANOTHER using DRAG(click on your address and press it to another web wallet) then REINSTALL YOUR OS .

because i ever experience that

OP name the browser extension..

that way people know what to stay away from

im guessing if its not abrowser extension that 'suppose to' aid copying addresses instead of manually writing them..
then the other option is probably the OP downloaded one of them crappy "bitcoin generator" programs(no positive function and just a trojan) after watching a get rich with bitcoin hacks video.. as that is another big scam that people have been crying about

virus does not enter into your computer of its own will, so you must have installed somethign suspicious and forget about it

try to run malwarebyte + hitmanpro, then you have combofix, or a secure erase if nathing will solve it

So nobody asks about his technical specs? I'm no IT support but that's the first thing we should be doing I think. It's most likely like others have said that you've installed spyware/malware. This is usually downloaded from pirate download sites, porn sites, etc. Please keep us posted.

look at this post
https://bitcointalk.org/index.php?topic=1317718.msg13575511#msg13575511

someone use that address

So is this replacing your pasted data, aka if you were to actually recheck the address after pasting would it be the incorrect address?

This is because of some file or a script that work in background .It must have come with something . I think it is with some software . I think you have installed a new software which runs the command in cmd to do it.

Can you please give me a view of a task manager- process section & startup section , i think i can crack which file it is working in background. If you want to keep up the softwares and files and dont lose them up . You have to end that process which is working in background everytime you run up your PC or you can remove that up from program startup like this:-


1)Press Win-r . In the "Open:" field, type msconfig and press Enter .
2)Click the Startup tab.
3)Uncheck the items you do not want to launch on startup. Note: ...
4)When you have finished making your selections, click OK.
5)n the box that appears, click Restart to restart your computer.

There is a solution : Reset your PC

Reset is an option which allows you to reinstall OS with the option to KEEP THE FILES OR NOT.

What things affects:-

a) all the software you had installed are gone,but you can keep up with the files.

https://i.imgur.com/HQlfr4p.jpg


So does that mean bx2.club behind it ? ???

This is very worrying. Do you know where did you could have gotten that virus? It would be great to know where is this menace coming from.

Nice find, also further research led me to find someone who uses Bitcoin on facebook who has the name of that user account that may own that address, not sure if there's a naming and shaming policy at all here so will refrain from posting it although it's an easy find.

@txbtc, this is the best option that you can do... Next step, improve your security and change your habits.

seems like its not a virus..
but people naively using blockchain.info to view transactions after its sent..

seems there is a bug on blockchain.info involving how they display transactions on the website

Could you explain abit more about this franky, i use blockchain.info all the time  :o

although most of my wallets are watch only.

someone else in this thread posted
https://bitcointalk.org/index.php?topic=1317718.msg13575511#msg13575511

it showed people complaining that when they looked at blockchain.info they seen tx's going to that magical address..

later posts mentioned that the transactions appeared where they should have gone and that it was a bug in the blockchain.info service displaying wrong details..

i advise you to not rely on just blockchain.info..

instead use the API of atleast 3 different explorers and a couple lines of code to compare the results from the 3 explorers.. and if one is wrong, ignore it. that way you have more chance of relying on data spoonfed to you if it comes from different sources and compared against each other

Hey, thanks really you seem to help me.

Please can u help me, give me ur skype i will tell u all process running on my pc

ive heard about it before, but im not really sure what kind of malware this is. i suggest you download malwarebytes to scan your computer. its free and its pretty good imo.

http://prntscr.com/9rb6o0

these are processrunning, any wrong one ?

As digit asked, can you tell us if you installed any extension (browser add-on) recently, it can be because of that, a few months ago an extension opened automatically a website.

none installed bro
only have these ones : http://prntscr.com/9rbd0z

I think that's the time to install an anti clipboard logger software, take a look here how it works: https://www.spyshelter.com/clipboard-protection/ ,if you still have the issue please install this app and try if it fixes the issue.

This is why I recommend getting something like an Intel NUC dedicated to bitcoin.

Put Linux on it, and do not run any browser plugins or extensions, and do not use Chrome for Linux (it is closed source) on it.

Such a PC should only be used for your bitcoin activity, not general browsing. Not even browsing this forum. Just use it for bitcoin.

You can run a wallet on your normal PC just like you can keep some fiat cash in your leather wallet, but keep the value low.

btw flash (even in Chrome) is dangerous because flash allows programs loaded from web pages to manipulate the clipboard. Get rid of flash even on computers that you don't use with bitcoin.

Good idea, if OP is knowledgeable he could even do something similar on a less pricey option such as a Raspberry Pi.

Good information here. I have been trying to do all bitcoin activity on only ONE computer in the house, with no internet browsing.

Sorry for your troubles. Time to consider using a hardware wallet with a screen like Trezor.

Check browser extensions/unknown startup entries and remove them. You can use CCleaner for it.

That seems to be a bit overkill. Basic security is enough for average quantities of Bitcoin. Even if you don't have any Bitcoin on your computer at all, the issue that the OP is talking about could happen too.

The cheapest Intel NUC seems to be at 99$, as per their website. For that price I'd think in buying a Trezor (which still doesn't avoid the issue OP talked about, but can keep your Bitcoins secure while being able to spend them on an online computer)

You don't necessarily need a new computer for offline cold storage, you can use an old one, your usual computer with a different disk or in live mode. There's also ledger and Raspberry's/Banana Pi/ODROID, etc.

I just waited the moment this type of malware will occur. It's Windows, right? ;)

I can't say for sure if it windows, but the type of malware is ingenious to be honest. Most people would not look at the address twice to make sure its the right thing, so it is inconspicuous enough that it would not be noticed (As in OP's situation) unless someone was actively looking for it.

I am interested in seeing where this goes.

That's one of the reasons I do not like QR codes.

It may seem overkill but the bottom line is that bitcoin has no FDIC insurance and no way to reverse a transaction.

Overkill thus is much safer than finding out you did not do enough.

Prevention: This is because generally we do not read carefully and keep on installing softwares by hitting" NEXT" button. Nowadays additional softwares are coming up with the software.Also some scammers are patching up addtional malware instead of software. Also keygens and cracks also comes up with virus. I am saying this is because i lost my previous email address because of it. And also some infos of my other sites were stealed. It later came to notice when i got an email from google about my id been logged from different ip address

So it is highly recommended to use only trusted and secure download link. And please read carefully while installing software.

For OP i would say to

1) Backup Wallet.dat
2). Reset os (check my previous post in 1 st page)

yes this is virus.
i transfer 0.08 bitoin to this m...f.... account.
I found what's happen. this was a virus address !!!
19ZM2pjq6U4jVb283GZkCPNukjeyb2YZ2u

As far as I know there is no risk in publicly telling all of your processes.. so make an screenshot of your processes and show them in here so everyone can help. Also don't use the default task manager from Windows, download Process Explorer because it gives more specific info about the processes. Also I recommend you run HijackThis and copy paste the log here.

ah i never know about virus like this,yeas its horrible,i'm start to afraid with my address. but is this happen to all wallet or exchange?
i wish this case can found the solutions.

The processes running by OP are : http://prnt.sc/9rb6o0 (http://prnt.sc/9rb6o0) (screenshot)

---

After searching a bit i found that This address belongs to devil11 (https://bitcointalk.org/index.php?action=profile;u=495476)

Proofs :

https://bitcointalk.org/index.php?topic=1317199.msg13993198#msg13993198 (https://bitcointalk.org/index.php?topic=1317199.msg13993198#msg13993198)

What is the chance of that user being infected with the same virus and he posted that by mistake? It would be very stupid to post a addy that is

being used by a virus on the forum.  ::) Send the user a PM and see if you can get a answer or a explanation. Good catch, if it turns out to be the

same person.  ;D I have heard about this before and for that reason I double check all my addresses before I submit payment.

Ouch I haven't encountered this kind of malware before but it looks like a nasty and sneaky way of losing your coins if you don't pay attention to what address does appear before sending the coins. Do you know what may have caused this malicious thing to happen? I don't think it's a virus it's probably some script running in your background processes.

Sounds like Trojan.Coinbitclip (https://www.symantec.com/security_response/writeup.jsp?docid=2016-020216-4204-99) or a new variant.

is that virus really dangerous for us?i mean all people with same wallt with OP. why must be reinstall the OS?is that virus can't cleaned with any good anti virus?

This really is disturbing. One issue I keep running into on my cell is it sometimes opens a link I am not wanting to click,such as signatures or links in the thread. For this reason I try to limit my time on my cell and surf here on a desktop instead.

I copy and paste addresses all the time and always check the first little bit of the address but I guess I need to be more diligent in the future.

wow now that's fucking sneaky would be even better if it could detect and change the copy/paste only when you try to copy a Bitcoin address. But still really sneaky.

Wow hackers already developed an virus to hit the transfers .This is just a big problem and i believe you wont be the first and neither the last to get this virus or similiar virus,soo how did you find those virus and where you had been till you find those virus,im glad i always check more then once the adress to make the payments,but i believe you arent able to change it even using another computer? I had founded this adress on the transactions made from the adress you post op ,https://blockchain.info/pt/address/1FXqE2ixnnSB1kvwbMtWma5xQ2bVbkSq3f is this the adress of the virus or some casino?

Never heard of this before. Thanks for notifying the public on this one.